CVE-2023-1578
published 2023-03-22CVE-2023-1578: SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.19.
PriorityP268high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
65.11%
99.2th percentile
SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.19.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | apptainer_apptainer | >= 1.2.0 < 1.2.1 | 1.2.1 |
| pimcore | pimcore | < 10.5.19 | 10.5.19 |
| pimcore | pimcore | >= 0 < 10.5.19 | 10.5.19 |
| pimcore | pimcore_pimcore | >= unspecified < 10.5.19 | 10.5.19 |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv3.06.7MEDIUMCVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Ineffective privileges drop when requesting container network
ghsa·2023-07-25
CVE-2023-38496 [MEDIUM] CWE-269 Ineffective privileges drop when requesting container network
Ineffective privileges drop when requesting container network
### Impact
Fix https://github.com/apptainer/apptainer/pull/1523 included in Apptainer 1.2.0-rc.2 has introduced an ineffective privilege drop when requesting container network setup, therefore subsequent functions are called with root privileges. The attack surface is rather limited for users but an attacker could possibly craft a starter config to delete any directory on the host filesystems. Only affects setuid installations of Apptainer.
### Patches
The security fix https://github.com/apptainer/apptainer/pull/1578 has been included in Apptainer 1.2.1
### Workarounds
There is no known workaround outside of upgrading to Apptainer 1.2.1
OSV
Pimcore Remote Code Execution vulnerability in Search function
osv·2023-03-22
CVE-2023-1578 [MEDIUM] Pimcore Remote Code Execution vulnerability in Search function
Pimcore Remote Code Execution vulnerability in Search function
### Impact
Attacker can get full DB and maybe RCE knowing the WEBROOT path
### Patches
Update to version 10.5.19 or apply this patch manually https://github.com/pimcore/pimcore/commit/367b74488808d71ec3f66f4ca9e8df5217c2c8d2.patch
### Workarounds
Apply patch https://github.com/pimcore/pimcore/commit/367b74488808d71ec3f66f4ca9e8df5217c2c8d2.patch manually.
### References
#14538
GHSA
Pimcore Remote Code Execution vulnerability in Search function
ghsa·2023-03-22
CVE-2023-1578 [MEDIUM] CWE-89 Pimcore Remote Code Execution vulnerability in Search function
Pimcore Remote Code Execution vulnerability in Search function
### Impact
Attacker can get full DB and maybe RCE knowing the WEBROOT path
### Patches
Update to version 10.5.19 or apply this patch manually https://github.com/pimcore/pimcore/commit/367b74488808d71ec3f66f4ca9e8df5217c2c8d2.patch
### Workarounds
Apply patch https://github.com/pimcore/pimcore/commit/367b74488808d71ec3f66f4ca9e8df5217c2c8d2.patch manually.
### References
#14538
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2023-03-22
Published